On Tue, Nov 28, 2017 at 11:17 PM, Jerry Leichter <leichter@lrw.com> wrote:
> You could block this entire mechanism by using an external Ethernet interface and not connecting the built-in one to anything
No. Not if your "external" NIC contains one of the Intel controllers with support. These days most of Intel's have it. PCI is PCI, slotted or soldered. Caveat blobs and secret sharing, one might presume, perhaps slightly less foolishly, that other brands of controllers don't participate in AMT/ME.
> connecting it to a separate management network fully isolated from the Internet and carefully controlled.
Cisco, Juniper, Huawei, Chelsio, etc... all closed source TOP SECRET blobs too. When even your eyeglasses are secrets, you have no idea what truly is or is not passing right in front of them.
> But not many will choose to do that because of the additional cost and likely performance implications.
First you have to get them woked to the predicament they've buried themselves in. Then deal with how to dig out of it and where to go once freed from the mire.